When creating an IAM policy, you can assign it an Amazon Resource Name (ARN). An ARN identifies the resource that the policy applies to, such as the instances to be granted S3 management permissions or the IAM role permissions to pass to users.

ARNs consist of the following fields:

| Field | Description |
| --- | --- |
| Partition | The partition, such as AWS Marketplace, Gov Cloud, or C2S, in which the resource is located. |
| Service | The service being called by the policy, such as IAM or S3. |
| Region | The region in which the resource resides, such as US West. |
| Account | The ID of the account to which the resource belongs. |
| Resource | The resource being specified for the policy. This field varies in format and content depending on the purpose of the policy. |

ARN Example

arn:aws:s3:::qcp-*, arn:aws:s3:::qcp-*/*

partition – The resource is located in AWS.

service – The policy is calling the S3 service.

region – A region is not defined for the resource.

account – An account is not defined for the resource.

resource – The resources being specified, and given permissions to manage buckets within S3, are Q-Cloud Protect instances.

The content of an ARN varies depending on the purpose of the policy. The only required information is an asterisk (*), which provides open access to the policy. In the following topics, we provide suggestions for policy ARNs. We recommend that you create an ARN that fits your unique requirements.
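To compare the scoped ARNs from the example with a bare asterisk, the following added example (not part of the original page or the product's own code) parses ARNs into the five fields and lists which resources in an inventory a policy covers even though they lack the intended `qcp-` prefix. The bucket names are constructed, and the matching is a simplified model of IAM wildcard handling (`*` for any run of characters, `?` for one character, compared field by field).

```python
import re
from typing import NamedTuple

class Arn(NamedTuple):
    partition: str
    service: str
    region: str
    account: str
    resource: str

def parse_arn(value: str) -> Arn:
    """Split an ARN into the five fields listed in the table above."""
    # The resource field may contain ':' or '/', so split on the first five colons only.
    parts = value.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {value!r}")
    return Arn(*parts[1:])

def _field_matches(pattern: str, text: str) -> bool:
    # '*' = any run of characters, '?' = exactly one character; the rest is literal.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, text, re.DOTALL) is not None

def covers(pattern: str, concrete: str) -> bool:
    """True if a policy Resource entry covers the concrete ARN (simplified model)."""
    if pattern == "*":  # bare asterisk: every resource in every service
        return True
    return all(_field_matches(p, c) for p, c in zip(parse_arn(pattern), parse_arn(concrete)))

def unexpected_matches(patterns, inventory, intended_prefix):
    """List inventory ARNs that a policy covers although they lack the intended prefix."""
    hits = []
    for arn in inventory:
        if parse_arn(arn).resource.startswith(intended_prefix):
            continue
        if any(covers(p, arn) for p in patterns):
            hits.append(arn)
    return hits

# Constructed sample inventory (bucket names are made up for this example).
INVENTORY = [
    "arn:aws:s3:::qcp-backup",
    "arn:aws:s3:::qcp-backup/2024/img.dat",
    "arn:aws:s3:::finance-data",
]
SCOPED = ["arn:aws:s3:::qcp-*", "arn:aws:s3:::qcp-*/*"]  # the ARN example from this page
OPEN = ["*"]                                              # the bare asterisk

if __name__ == "__main__":
    print(unexpected_matches(SCOPED, INVENTORY, "qcp-"))
    print(unexpected_matches(OPEN, INVENTORY, "qcp-"))
```

Running the same check against a real bucket inventory before attaching a policy shows which resources outside the Q-Cloud Protect naming scheme would be covered.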